<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Because the roles are reversed for things like request objects,
and the whole thing is set up with a common keystore for
convenience. We're not likely to change the structure.<br>
</p>
<p> -- Justin<br>
</p>
<br>
<div class="moz-cite-prefix">On 10/12/2016 4:14 AM, Yannick Béot
wrote:<br>
</div>
<blockquote
cite="mid:CAMer1X6Jvh-4ZCABHv1m3m+3N=w+OsXUGEVpX=z_uJHCroZyqA@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div dir="ltr">
<div>
<div>
<div>
<div>Justin,<br>
<br>
</div>
I have created an issue (#1132).<br>
</div>
I have had a quick look at the code. My first idea would be
to separate the validation and signing logic in
DefaultJWTSigningAndValidationService.<br>
<br>
</div>
How come both are merged in the same class? It is already pretty
well separated within the class, with two lists (signers &amp; validators).<br>
</div>
<div>Either you sign (IdP) or you validate (RP, or RP
authentication by JWT).<br>
</div>
<div><br>
</div>
Yannick<br>
<div><br>
<br>
<br>
<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Oct 12, 2016 at 6:36 AM, <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:yannick.beot@gmail.com" target="_blank">yannick.beot@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="#954F72" lang="FR">
<div class="m_-8728529132837741009WordSection1">
<p class="MsoNormal">No problem.</p>
<p class="MsoNormal">I’ll have a look and file an issue
if needed</p>
<span class="">
<p class="MsoNormal"> </p>
<p class="MsoNormal">Sent from my Windows 10
phone</p>
<p class="MsoNormal"> </p>
</span>
<div style="border:none;border-top:solid #e1e1e1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="border:none;padding:0cm"><b>From:
</b><a moz-do-not-send="true"
href="mailto:jricher@mit.edu" target="_blank">Justin
Richer</a><br>
<b>Sent:</b> Tuesday, 11 October 2016 23:05<br>
<b>To: </b><a moz-do-not-send="true"
href="mailto:yannick.beot@gmail.com"
target="_blank">Yannick Béot</a><br>
<b>Cc: </b><a moz-do-not-send="true"
href="mailto:luiz.omori@duke.edu" target="_blank">Luiz
Omori</a>; <a moz-do-not-send="true"
href="mailto:mitreid-connect@mit.edu"
target="_blank">mitreid-connect@mit.edu</a><br>
<b>Subject:</b> Re: [mitreid-connect] JWT Signatures -
which public key?</p>
</div>
<div>
<div class="h5">
<p class="MsoNormal"> </p>
<p class="MsoNormal">Yannick, thanks for that
pointer. Could you please add an issue to the
MITREid Connect project to use those classes? The
references will be helpful as well.</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> — Justin</p>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Oct 11, 2016, at
4:59 PM, Yannick Béot &lt;<a
moz-do-not-send="true"
href="mailto:yannick.beot@gmail.com"
target="_blank">yannick.beot@gmail.com</a>&gt;
wrote:</p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">If you use <span
class="m_-8728529132837741009gmail-nc">JWSVerificationKeySelector
from Nimbus to check the JWT (as
stated at <a moz-do-not-send="true"
href="http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens"
target="_blank">http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens</a>),
you should be fine.</span></p>
<p class="MsoNormal"><code>JWSKeySelector</code> is filtering keys with a <code>JWKMatcher</code> which checks the kid (<a moz-do-not-send="true" href="https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&fileviewer=file-view-default#JWKMatcher.java-562" target="_blank">https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&fileviewer=file-view-default#JWKMatcher.java-562</a>).</p>
<p class="MsoNormal"><code>JWSVerificationKeySelector</code> is responsible for creating the <code>JWKMatcher</code> based on information from the signature, and especially the kid (<a moz-do-not-send="true" href="https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&fileviewer=file-view-default#JWSVerificationKeySelector.java-70" target="_blank">https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&fileviewer=file-view-default#JWSVerificationKeySelector.java-70</a>).</p>
<p class="MsoNormal">@Luiz: what are you using to validate the token?</p></div><div><p class="MsoNormal"> </p><div><p class="MsoNormal">On Tue, Oct 11, 2016 at 9:13 PM, Justin Richer &lt;<a moz-do-not-send="true" href="mailto:jricher@mit.edu" target="_blank">jricher@mit.edu</a>&gt; wrote:</p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm"><div><p class="MsoNormal">The “kid” will be in the header of the JWT you’re validating.
I think we’ve got a long-standing issue to enforce that check in the client library, but it should still work as-is.</p><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal"> — Justin</p></div><div><p class="MsoNormal"> </p><div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><div><div><p class="MsoNormal">On Oct 11, 2016, at 12:27 PM, Luiz Omori &lt;<a moz-do-not-send="true" href="mailto:luiz.omori@duke.edu" target="_blank">luiz.omori@duke.edu</a>&gt; wrote:</p></div><p class="MsoNormal"> </p></div></div><div><div><div><div><div><p class="MsoNormal" style="background:white">Well, which “kid” value should we look for? I checked the &lt;root&gt;/.well-known/openid-configuration and although it lists the jwk endpoint we couldn’t find the “kid” anywhere. Does it mean this info has to be transmitted offline?</p></div><div><p class="MsoNormal" style="background:white"> </p></div><div><pre>{
 "keys":[
  {
   "alg":"RS256",
   "e":"xxx",
   "n":"xxx",
   "kty":"RSA",
   "use":"enc",
   <b>"kid":"mc.duke.edu"</b>
  },
  {
   "e":"xxx",
   "n":"xxx",
   "kty":"RSA",
   <b>"kid":"Test1"</b>
  },
  {
   "e":"xxx",
   "n":"xxx",
   "kty":"RSA",
   <b>"kid":"Test2"</b>
  },
  {
   "e":"xxx",
   "n":"xxx",
   "kty":"RSA",
   <b>"kid":"rsa1"</b>
  }
 ]
}</pre></div><div><p class="MsoNormal" style="background:white"> </p></div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div><p class="MsoNormal" style="background:white"><b>From: </b>"<a moz-do-not-send="true" href="mailto:yannick.beot@gmail.com" target="_blank">yannick.beot@gmail.com</a>" &lt;<a moz-do-not-send="true" href="mailto:yannick.beot@gmail.com" target="_blank">yannick.beot@gmail.com</a>&gt;<br>
<b>Date: </b>Tuesday, October 11, 2016 at 12:16 PM<br>
<b>To: </b>Luiz Omori &lt;<a moz-do-not-send="true" href="mailto:luiz.omori@duke.edu" target="_blank">luiz.omori@duke.edu</a>&gt;, "<a moz-do-not-send="true" href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a>" &lt;<a moz-do-not-send="true" href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a>&gt;<br>
<b>Subject: </b>RE: [mitreid-connect] JWT Signatures - which public key?</p></div></div><div><div><p class="MsoNormal" style="background:white"> </p></div></div><div><p class="MsoNormal" style="background:white">There is a key id present in the header that is interpreted by Nimbus: <a moz-do-not-send="true" href="https://tools.ietf.org/html/rfc7515#section-4.1.4" target="_blank"><span style="color:#954f72">https://tools.ietf.org/html/rfc7515#section-4.1.4</span></a></p></div><div><p class="MsoNormal" style="background:white"> </p></div><div><p class="MsoNormal" style="background:white">You should use it to differentiate the keys.</p></div><div><p class="MsoNormal" style="background:white"> </p></div><div><p class="MsoNormal" style="background:white"> </p></div><div><p class="MsoNormal" style="background:white">Sent from my Windows 10 phone</p></div><div><p class="MsoNormal" style="background:white"> </p></div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div><p class="MsoNormal" style="background:white"><b>From: </b><a moz-do-not-send="true" href="mailto:luiz.omori@duke.edu" target="_blank"><span style="color:#954f72">Luiz Omori</span></a><br>
<b>Sent:</b> Tuesday, 11 October 2016 18:04<br>
<b>To: </b><a moz-do-not-send="true" href="mailto:mitreid-connect@mit.edu" target="_blank"><span style="color:#954f72">mitreid-connect@mit.edu</span></a><br>
<b>Subject:</b> [mitreid-connect] JWT Signatures - which public key?</p></div></div><div><p class="MsoNormal" style="background:white"> </p></div><div><p class="MsoNormal" style="background:white">Hi,</p></div><div><p class="MsoNormal" style="background:white"> </p></div><div><p class="MsoNormal" style="background:white">In our implementation, the RS, upon receiving a request, first validates the access token signature locally before introspecting it. To perform the signature validation we use a previously retrieved public key. The issue we are facing is that in our case the &lt;root&gt;/jwk endpoint is returning multiple keys. How do we figure out which one should be used? Should we check the “use” field? If yes, is there a standard value to check for? </p></div><div><p class="MsoNormal" style="background:white"> </p></div><div><p class="MsoNormal" style="background:white">Regards,</p></div><div><p class="MsoNormal" style="background:white">Luiz</p></div><div><p class="MsoNormal" style="background:white"> </p></div></div></div></div><p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica,sans-serif;background:white">_______________________________________________</span><span style="font-size:9.0pt;font-family:Helvetica,sans-serif"><br>
<span style="background:white">mitreid-connect mailing list</span><br>
<span style="background:white"><a moz-do-not-send="true" href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a></span><br>
<span style="background:white"><a moz-do-not-send="true" href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" target="_blank">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></span></span></p></div></blockquote></div><p class="MsoNormal"> </p></div></div></blockquote></div><p class="MsoNormal"> </p></div></div></blockquote></div></div><p class="MsoNormal"> </p><p class="MsoNormal"> </p></div></div></div></div></blockquote></div>
</div>
</blockquote>
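<p>Added illustration of the selection step the thread discusses, written for this page and not taken from MITREid Connect or Nimbus: a small Python selector that does what Yannick describes <code>JWSVerificationKeySelector</code> and <code>JWKMatcher</code> doing, picking the JWKS key by the JWT header's <code>kid</code> and refusing both the <code>"use":"enc"</code> key and any ambiguous match. The JWK set mirrors the one Luiz posted (with <code>"xxx"</code> as placeholder key material, as in his message); <code>make_token</code> and the <code>ALG_KTY</code> table are assumptions of this example.</p>

```python
import base64
import json

# Constructed JWK set modelled on the one Luiz posted; "xxx" stands in for real
# key material exactly as it did in his message.
JWKS = {"keys": [
    {"alg": "RS256", "e": "xxx", "n": "xxx", "kty": "RSA", "use": "enc", "kid": "mc.duke.edu"},
    {"e": "xxx", "n": "xxx", "kty": "RSA", "kid": "Test1"},
    {"e": "xxx", "n": "xxx", "kty": "RSA", "kid": "Test2"},
    {"e": "xxx", "n": "xxx", "kty": "RSA", "kid": "rsa1"},
]}

# Assumed table: which JWK "kty" can verify which JWS "alg". "none" is absent on purpose.
ALG_KTY = {"RS256": "RSA", "RS384": "RSA", "RS512": "RSA", "PS256": "RSA",
           "ES256": "EC", "ES384": "EC", "ES512": "EC"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(header: dict, claims: dict) -> str:
    """Constructed test input: a compact JWS whose signature part is a placeholder."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), "placeholder"])


def select_verification_key(token: str, jwks: dict) -> dict:
    """Return the one JWK allowed to verify `token`, or raise rather than guess.

    This is the selection step only; the caller still verifies the signature
    with the returned key. The header's "kid" (RFC 7515 section 4.1.4) is
    untrusted input: it is only compared against keys already held, never used
    to fetch or build anything. Keys published with "use":"enc" are never
    accepted as signature keys, which is why the "mc.duke.edu" key is rejected.
    """
    header = json.loads(_unb64url(token.split(".")[0]))
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in ALG_KTY:
        raise ValueError("unsupported or unsafe alg %r" % alg)
    candidates = [k for k in jwks["keys"]
                  if k.get("kty") == ALG_KTY[alg]
                  and k.get("use", "sig") == "sig"      # enc keys never verify
                  and k.get("alg", alg) == alg          # key-pinned alg must agree
                  and (kid is None or k.get("kid") == kid)]
    if len(candidates) != 1:                            # none or ambiguous: refuse
        raise ValueError("%d keys match kid=%r alg=%r; need exactly one"
                         % (len(candidates), kid, alg))
    return candidates[0]
```

<p>With no <code>kid</code> in the header the selector refuses because three RSA signing keys remain, which is exactly the situation Luiz ran into; a header naming <code>Test1</code> resolves to that key alone.</p>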
</body></html>